Closed Bug 655991 Opened 13 years ago Closed 13 years ago

TI: Assertion failure: frame not in stack space, at vm/Stack.cpp:273

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

shell testcase, unpack, chdir and run main.js with options "-n -m -a"
631 bytes, application/x-compressed-tar
Details 
The attached testcase asserts on TI revision 32e8c937a409 (run main.js with -m -n -a),
tested on 64 bit.
When getting a new frame in UncachedInlineCall, we would make a local copy of f.regs and repoint cx->regs to that (as the interpreter does).  In the TM branch this is an optimization, but for recompilation and frame expansion in the JM branch this is necessary as we want f.regs to reflect the state when the stub call was made for that f.  The problem was that if checking if we had space for the new frame triggered recompilation / inline frame expansion then the f.regs were being updated but the new cx->regs went stale.  We shouldn't make a local copy of cx->regs until we've checked there is space for the new frame and we are about to (infallibly) push it.  I don't think other places we make local copies of cx->regs have this issue (there are only a few).

http://hg.mozilla.org/projects/jaegermonkey/rev/0df33bc6cc38
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: